mediawiki/core Security Advisories for 1.34.0 (12)
-
[HIGH] MediaWiki Denial of Service vulnerability
PKSA-wzph-c8jf-dsw9 CVE-2023-45363 GHSA-w5fx-cx7f-6vr9
Affected version: =1.40.0|>=1.36.0,<1.39.5|<1.35.12
Reported by:
GitHub -
[CRITICAL] X-Forwarded-For header allows brute-forcing autoblocked IP addresses
PKSA-sywz-vkhh-67ff CVE-2023-29141 GHSA-5vj8-g3qg-4qh6
Affected version: <1.35.10|>=1.38.0,<1.38.6|>=1.39.0,<1.39.3
Reported by:
GitHub -
[MEDIUM] MediaWiki allows a denial of service
PKSA-qcmj-k84v-rjky CVE-2021-41800 GHSA-c8wv-qwwc-6j73
Affected version: <1.36.2
Reported by:
GitHub -
[MEDIUM] img_auth.php may leak private extension images into the public cache
PKSA-ddy8-wbbj-hqfh CVE-2020-15005 GHSA-xpv7-93cm-4mxv
Affected version: >=1.34.0,<1.34.2|>=1.32.0,<1.33.4|<1.31.8
Reported by:
GitHub -
[MEDIUM] Unescaped message used in HTML within LogEventsList
PKSA-t513-2v8h-wrkx CVE-2020-25815 GHSA-2f58-vf6g-6p8x
Affected version: >=1.34.0,<1.34.3|>=1.34.99,<1.35.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Unescaped message used in HTML on Special:Contributions
PKSA-k79b-82mf-pj31 CVE-2020-25812 GHSA-rj9p-8jxj-2ch4
Affected version: >=1.34.0,<1.34.3|>=1.34.99,<1.35.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML
PKSA-z45m-sh5c-325v CVE-2020-25828 GHSA-h8qx-mj6v-2934
Affected version: >=1.31.0,<1.31.9|>=1.34.0,<1.34.3|>=1.34.99,<1.35.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] mw.message.parse() accepts javascript: protocol in wikilinks
PKSA-2scp-v3wb-xcgz CVE-2020-25814 GHSA-4vr7-m8p8-434h
Affected version: >=1.31.0,<1.31.9|>=1.34.0,<1.34.3|>=1.34.99,<1.35.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Special:UserRights exposes the existence of hidden users
PKSA-d4kb-dkjp-1n1j CVE-2020-25813 GHSA-c4rj-wrmq-52rj
Affected version: >=1.31.0,<1.31.9|>=1.34.0,<1.34.3
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] makeCollapsible allows applying event handler to any CSS selector
PKSA-pvds-fsx9-62mq CVE-2020-10960 GHSA-pfm2-mqwj-ggm5
Affected version: >=1.31.0,<1.31.7|>=1.33.0,<1.33.3|>=1.34.0,<1.34.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] User content can redirect the logout button to different URL
PKSA-49h8-xbh2-gnd6 CVE-2020-10959 GHSA-mqhw-wq8p-vf5r
Affected version: >=1.34.0,<1.34.1
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] TOTP throttle not enforced cross-wiki
PKSA-mshv-sn4g-n4ty CVE-2020-25827 GHSA-rqvj-fc2x-99q6
Affected version: >=1.31.0,<1.31.9|>=1.34.0,<1.34.3
Reported by:
GitHub, FriendsOfPHP/security-advisories